TWC: Small: Collaborative: Automated Detection and Repair of Error Handling Bugs in SSL/TLS Implementations

TWC：小：协作：自动检测和修复 SSL/TLS 实现中的错误处理错误

• 批准号: 1946068
• 负责人: Baishakhi Ray
• 金额: $ 4.31万
• 依托单位: Columbia University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-01-01 至 2019-10-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1946068&HistoricalAwards=false
• 关键词: TWC; Small; Collaborative; Automated; Detection

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols are critical to internet security. However, the software that implements SSL/TLS protocols is especially vulnerable to security flaws and the consequences can be disastrous. A large number of security flaws in SSL/TLS implementations (such as man-in-the-middle attacks, denial-of-service attacks, and buffer overflow attacks) result from incorrect error handling. These errors are often hard to detect and localize using existing techniques because many of them do not display any obvious erroneous behaviors (e.g., crash, assertion failure, etc.) but they cause subtle inaccuracies that completely violate the security and privacy guarantees of SSL/TLS. This project aims to improve error handling mechanisms in SSL/TLS implementations by building novel tools that reduce developer effort in writing and maintaining correct error handling code while making SSL/TLS implementations more secure and robust. This project develops a framework for improving the robustness of error handling code in SSL/TLS implementations. The framework has three main objectives. First, error specifications for different SSL/TLS functions are automatically inferred to learn how they communicate the failures. Next, the inferred specifications are used to build a tool for automatically detecting error handling bugs. Finally, the framework also provides new program repair tools that can automatically fix the detected bugs. Therefore, the framework provides end-to-end assistance in maintaining error-handling code in SSL/TLS implementations and thus significantly improves internet security.

安全套接字层 (SSL)/传输层安全 (TLS) 协议对于互联网安全至关重要。然而，实现 SSL/TLS 协议的软件特别容易受到安全漏洞的影响，后果可能是灾难性的。 SSL/TLS 实现中的大量安全缺陷（例如中间人攻击、拒绝服务攻击和缓冲区溢出攻击）都是由于错误处理不当造成的。 这些错误通常很难使用现有技术来检测和定位，因为其中许多错误不会显示任何明显的错误行为（例如崩溃、断言失败等），但它们会导致微妙的不准确，完全违反 SSL/ TLS。该项目旨在通过构建新颖的工具来改进 SSL/TLS 实现中的错误处理机制，减少开发人员编写和维护正确的错误处理代码的工作量，同时使 SSL/TLS 实现更加安全和健壮。该项目开发了一个框架，用于提高 SSL/TLS 实现中错误处理代码的稳健性。该框架具有三个主要目标。首先，自动推断不同 SSL/TLS 函数的错误规范，以了解它们如何传达故障。接下来，推断的规范用于构建自动检测错误处理错误的工具。最后，该框架还提供了新的程序修复工具，可以自动修复检测到的错误。因此，该框架在维护 SSL/TLS 实现中的错误处理代码方面提供了端到端的帮助，从而显着提高了互联网安全性。